Today I wanted to copy a folder from my web space via SSH using rsync. I tried it locally first and it worked wonderfully. Then I tried the whole thing on a host behind ipfire. Unfortunately, it was unsuccessful. I can ping the web server but I can’t connect via ssh. Nothing happens for a long time and then it times out.
IPFire is completely open for outgoing traffic. There are no restrictions for hosts in the orange zone. But I still tried to create a rule for it that is at the top and explicitly allows traffic from the orange zone to this web server. Unfortunately, that was also unsuccessful.
I don’t see anything being blocked in the logs. OK, maybe I’m looking in the wrong place - I don’t know.
Maybe it’s really simple and someone can give me a tip. That would be super cool. Thanks in advance.
The rule that has the source from the web server should have destination NAT instead of source NAT.
It's been a few years since I used the iptables command this way, which this system is using in the background.
But the accept entry should be the other way around, as it should be:
source → web server
destination → orange server ip
if I’m reading this web gui entry correctly.
Otherwise, you will have to use RED as the source instead of the web server and select the - preset - service SSH
But the server IP address on orange has to be used instead of the network. Otherwise it's just granting the web server access to the orange network without a node point to use it.
I think I got it:
Our company is renting a room/store in another company, so we use their internet connection for our servers. On the firewall that our firewall is connected to, only ports 80/443 and 8000-9999 are allowed through to our firewall. So if I make an SSH request to the web server outside on port 22, it might respond for example on port 5347 instead of 22. On the way back, this response gets dropped by the other firewall. At least I think so…
Yes, that is what is going on, because the response will be returned on the configured SSH port.
If you change the SSH port on the web server to a port range you have incoming, then it will work. I would suggest you use port 8888 for that, since that is a routing port number reserved for SSH in that range.
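A way to tell a silently dropped port (the "nothing happens for a long time and then it times out" symptom above) apart from a refused or actually reachable SSH port, before changing anything on the server. This is an added example, not code from the thread; it probes against a constructed local listener that only sends an SSH-style banner, and `probe_ssh_port` can equally be pointed at the real web server on ports 22 and 8888 from the orange host to compare the two results.

```python
import socket
import threading

# Constructed stand-in for the identification string a real SSH server sends first.
FAKE_BANNER = b"SSH-2.0-ConstructedExampleBanner\r\n"

def probe_ssh_port(host, port, timeout=3.0):
    """Classify a TCP connect to host:port as seen from the probing host.
    'filtered': nothing came back before the timeout, i.e. packets are being
                dropped on the path (the symptom described in the thread)
    'refused':  the host sent RST: reachable, but nothing listens on that port
    'ssh':      connected and the peer announced itself with an SSH banner
    'open':     connected, but no SSH banner arrived within the timeout
    'error':    some other failure, e.g. no route to host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(255)
            except socket.timeout:
                return "open"
            return "ssh" if banner.startswith(b"SSH-") else "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"

def start_fake_ssh_server():
    """Local listener that sends FAKE_BANNER to its first client; returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(FAKE_BANNER)
        except OSError:
            pass  # listener was closed before a client connected

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv
```

Once the listener is closed, probing the same port again yields "refused", while a port dropped by an upstream firewall yields "filtered" only after the full timeout, which is exactly the difference between "the server is not listening" and "something on the path is eating the packets".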
So you don't have access to the web server's admin panel through https://accounts.hetzner.com? But just SSH access?
Because if this is something you have to connect to all the time, the port 22 has to be changed there, or purchase an SSH proxy to forward, or use one of the web SSH client services like https://sshwifty-demo.nirui.org/
It is actually not Hetzner itself. It is a sub-company that they host at Hetzner.
So I do not have the chance to change something like the SSH port.
Now I'm glad to know why it doesn't work. How can it be made to work? There are different ways to solve it. One way is our own internet connection. The other way is to put our server in a server center. The prices seem to be not far from each other.